
Installing the Kubernetes dashboard and ingress-nginx

BootGo


1. Installing ingress-nginx

We want to reach the dashboard through an ingress proxy.

Install ingress-nginx

# Fetch the manifest
wget 
# Back it up
[root@master1 ~]# cp deploy.yaml{,.ori}
# Edit the file: run the controller as a DaemonSet, switch the network mode to hostNetwork and add a nodeSelector so the ingress lands on the master servers. A later article will cover scheduling with taints and tolerations instead.
[root@master1 ~]# diff deploy.yaml deploy.yaml.ori
< kind: DaemonSet
---
> kind: Deployment
321d320
<       hostNetwork: true
324c323
<           image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0
---
>           image: k8s.gcr.io/ingress-nginx/controller:v0.46.0@sha256:52f0058bed0a17ab0fb35628ba97e8d52b5d32299fbc03cc0f6c7b9ff036b61a
398d396
<         ingress-controller: 'true'
# Excerpt only: the full file is too long to paste, so we focus on the controller workload
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      dnsPolicy: ClusterFirst
      hostNetwork: true
      containers:
        - name: controller
          image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --election-id=ingress-controller-leader
            - --ingress-class=nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
      nodeSelector:
        kubernetes.io/os: linux
        ingress-controller: 'true'
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
# Label the nodes so the DaemonSet schedules onto the chosen nodes
kubectl label node master1.sysit.cn ingress-controller="true"
kubectl label node master2.sysit.cn ingress-controller="true"
kubectl label node master3.sysit.cn ingress-controller="true"
# Apply the manifest
kubectl apply -f deploy.yaml
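Review bot: the `324c323` hunk drops the upstream digest pin. `k8s.gcr.io/ingress-nginx/controller:v0.46.0@sha256:52f0058b…` names exactly one image, whereas `registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0` is a mutable tag on a third-party mirror that can be re-pointed at any time, and with `imagePullPolicy: IfNotPresent` a node that already holds a different image under that tag will keep running it. Resolve the mirrored image's digest once (for example from the RepoDigests field of `docker inspect` after a pull) and pin it as `...:v0.46.0@sha256:<digest of the mirrored image>`; the chart labels also still claim `app.kubernetes.io/version: 0.47.0` while the image is v0.46.0, which is worth reconciling so the labels stay a trustworthy inventory.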
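Review bot: the `321d320` hunk adds `hostNetwork: true` without saying why it is needed. Together with the `398d396` nodeSelector hunk it binds the controller's ports 80, 443 and 8443 directly on the control-plane nodes' own interfaces, and the container keeps `allowPrivilegeEscalation: true` from the upstream manifest. Either record the requirement next to the change or expose the controller through a NodePort/hostPort Service instead; if hostNetwork stays, restrict 8443 (the admission webhook) so only the apiserver can reach it and keep the masters' 80/443 behind whatever fronts the cluster.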
Verify
[root@master1 ~]# kubectl get pods -n ingress-nginx -o wide
NAME                                   READY   STATUS      RESTARTS   AGE     IP                NODE               NOMINATED NODE   READINESS GATES
ingress-nginx-admission-create-kpgmb   0/1     Completed   0          7m54s   10.244.197.132    node1.sysit.cn     <none>           <none>
ingress-nginx-admission-patch-qtp5t    0/1     Completed   0          7m54s   10.244.96.129     master3.sysit.cn   <none>           <none>
ingress-nginx-controller-2mgp5         1/1     Running     0          2m23s   192.168.112.141   master1.sysit.cn   <none>           <none>
ingress-nginx-controller-mwczj         1/1     Running     1          2m23s   192.168.112.142   master2.sysit.cn   <none>           <none>
ingress-nginx-controller-xgldp         1/1     Running     0          2m23s   192.168.112.143   master3.sysit.cn   <none>           <none>
[root@master1 ~]# kubectl get daemonset -n ingress-nginx
NAME                       DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                                    AGE
ingress-nginx-controller   3         3         3       3            3           ingress-controller=true,kubernetes.io/os=linux   8m29s
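The settings the diff above changes by hand (image reference, hostNetwork, nodeSelector) are easy to lose silently the next time deploy.yaml is re-downloaded for a new release. The following is an added example, not part of the original article: a POSIX sh pre-apply check that flags image references without an @sha256 digest, hostNetwork, and allowPrivilegeEscalation in a manifest file. The function names (manifest_findings, manifest_finding_count, write_sample_manifest, write_hardened_manifest) and the embedded manifest excerpts are constructed for this example; the digest in the hardened excerpt is a placeholder, not a real image digest.

```shell
#!/bin/sh
# Pre-apply lint for the ingress-nginx controller manifest (added example, not the
# article's code). Only sh, grep and sed are used so it can run wherever deploy.yaml is edited.

# Print one finding per line for the manifest file given as $1:
#   unpinned-image <ref>      an image: reference without an @sha256: digest
#   hostNetwork               the pod shares the node's network namespace
#   allowPrivilegeEscalation  the container may gain more privileges than it started with
manifest_findings() {
  f=$1
  grep -E '^[[:space:]]*(- )?image:' "$f" \
    | grep -v '@sha256:' \
    | sed 's/^[[:space:]]*\(- \)\{0,1\}image:[[:space:]]*/unpinned-image /'
  grep -q '^[[:space:]]*hostNetwork: true' "$f" && echo hostNetwork
  grep -q '^[[:space:]]*allowPrivilegeEscalation: true' "$f" && echo allowPrivilegeEscalation
  return 0
}

# Number of findings for manifest $1; "0" means the file passes this check.
manifest_finding_count() {
  manifest_findings "$1" | grep -c . || true
}

# Constructed excerpt of the article's DaemonSet: mirrored tag without digest, hostNetwork,
# and the upstream allowPrivilegeEscalation setting. Written to file $1.
write_sample_manifest() {
  cat >"$1" <<'EOF'
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  template:
    spec:
      hostNetwork: true
      containers:
        - name: controller
          image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0
          securityContext:
            runAsUser: 101
            allowPrivilegeEscalation: true
EOF
}

# The same excerpt hardened: digest-pinned image (placeholder digest of all zeros),
# no hostNetwork, privilege escalation disabled. Written to file $1.
write_hardened_manifest() {
  cat >"$1" <<'EOF'
apiVersion: apps/v1
kind: DaemonSet
spec:
  template:
    spec:
      containers:
        - name: controller
          image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0@sha256:0000000000000000000000000000000000000000000000000000000000000000
          securityContext:
            runAsUser: 101
            allowPrivilegeEscalation: false
EOF
}

# Usage: sh check_manifest.sh deploy.yaml   (prints the findings for that file)
if [ -n "$1" ]; then
  manifest_findings "$1"
fi
```

Run it against deploy.yaml before `kubectl apply`; a non-empty output is the list of settings that need either a fix or a written justification.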
2. Installing the dashboard

2.1 Install the dashboard
kubectl apply -f 
Access via kubectl proxy
# Run the following command; it proxies the dashboard to an address reachable only from the local machine.
kubectl proxy

The address to open is as follows:

Access via the apiserver

The dashboard can also be reached through the apiserver at:

https://<master-ip>:<apiserver-port>/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
# For example, when going through master1 the address is as follows:
Access via the nginx-ingress proxy (the approach recommended in this article)

2.2 Create an SSL certificate

There are several ways to create an SSL certificate; we show two of them here.

Generate a certificate with the openssl tool

cat >openssl.cnf<<EOF
[req]
distinguished_name = req_distinguished_name
prompt = yes
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_value               = CN
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_value       = Sichuan
localityName                    = Locality Name (eg, city)
localityName_value              = Chengdu
organizationName                = Organization Name (eg, company)
organizationName_value          = Sysit
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_value    = R & D Department
commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_value                = dashboard.sysit.cn
emailAddress                    = Email Address
emailAddress_value              = admin@sysit.cn
EOF
openssl req -newkey rsa:4096 -nodes -config openssl.cnf -days 3650 -x509 -out dashboard.crt -keyout dashboard.key

The dashboard.crt and dashboard.key produced above are the files we need.

Generate a certificate with the cfssl tool

cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "dashboard": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF
cat >ca-csr.json<<EOF
{
    "CN": "dashboard",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Chengdu",
            "ST": "Chengdu"
        }
    ]
}
EOF
cfssl gencert --initca ca-csr.json | cfssljson -bare ca -
cat >dashboard-csr.json<<EOF
{
    "CN": "*.sysit.cn",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Chengdu",
            "ST": "Chengdu"
        }
    ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem --config=ca-config.json --profile=dashboard dashboard-csr.json | cfssljson -bare dashboard

The generated dashboard.pem and dashboard-key.pem are the files we need.

Import into Kubernetes
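Both recipes above identify the server only by its Common Name: the openssl config carries no subjectAltName extension and the cfssl request has no hosts list, so neither certificate contains a SAN, and current browsers ignore the CN and reject such a certificate for dashboard.sysit.cn even after the CA is trusted. The following is an added example, not the article's command: it issues a self-signed certificate that does carry a DNS SAN and then checks, before the file is turned into a Secret, that the SAN is present, that the certificate really belongs to the private key next to it, and that it is not about to expire. It assumes OpenSSL 1.1.1 or newer (for `-addext` and `-ext`); the function names (gen_dashboard_cert, cert_has_san, cert_matches_key, cert_valid_for) are constructed for this example.

```shell
#!/bin/sh
# Self-signed dashboard certificate with a subjectAltName, plus pre-import checks
# (added example, not from the article). Requires OpenSSL >= 1.1.1 for -addext / -ext.

# Generate a 10-year self-signed certificate for hostname $1 into directory $2,
# writing dashboard.key and dashboard.crt with the same subject fields the article uses.
gen_dashboard_cert() {
  host=$1; dir=$2
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=CN/ST=Sichuan/L=Chengdu/O=Sysit/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/dashboard.key" -out "$dir/dashboard.crt" 2>/dev/null
}

# Succeed only if certificate $1 carries the DNS SAN $2 (what browsers actually match on).
cert_has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$2"
}

# Succeed only if the public key embedded in certificate $1 is the one derived from
# private key $2; a mismatched pair is the usual cause of a TLS secret that fails to load.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeed only if certificate $1 is still valid $2 seconds from now
# (2592000 = 30 days, a sensible renewal threshold).
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Usage: sh make_cert.sh dashboard.sysit.cn ./out
# The checked files then go into:
#   kubectl create -n kubernetes-dashboard secret tls dashboard-ssl-name \
#     --cert out/dashboard.crt --key out/dashboard.key
if [ -n "$1" ] && [ -n "$2" ]; then
  mkdir -p "$2" && gen_dashboard_cert "$1" "$2" \
    && cert_has_san "$2/dashboard.crt" "$1" \
    && cert_matches_key "$2/dashboard.crt" "$2/dashboard.key" \
    && cert_valid_for "$2/dashboard.crt" 2592000 \
    && echo "certificate for $1 written to $2 and checked"
fi
```

The same three checks are worth running on the cfssl output as well (cfssl's `-hostname` flag is what adds the SAN there); a certificate that passes them can be imported with the `kubectl create secret tls` command in the next step.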

# The TLS secret must live in the same namespace as the Ingress that references it
# (kubernetes-dashboard in section 2.3); a secret in kube-system is invisible to that Ingress
# and the controller would fall back to its default certificate.
kubectl create -n kubernetes-dashboard secret tls dashboard-ssl-name --cert dashboard.pem --key dashboard-key.pem
# Output: secret/dashboard-ssl-name created
2.3 ingress-dashboard configuration
cat > ingress-dashboard.yaml<<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    # ingress.class lives under the kubernetes.io/ prefix, not nginx.ingress.kubernetes.io/
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/secure-backends: "true"
    # ssl-passthrough only takes effect when the controller runs with --enable-ssl-passthrough;
    # the DaemonSet above does not, so the controller terminates TLS with the secret below and
    # re-encrypts to the dashboard (backend-protocol HTTPS)
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - dashboard.sysit.cn
    secretName: dashboard-ssl-name
  rules:
  - host: dashboard.sysit.cn
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443
EOF
kubectl apply -f ingress-dashboard.yaml

The page you land on looks like this:

Log in

Create an admin user

kubectl create serviceaccount admin-user -n kubernetes-dashboard

Bind the user to the cluster-admin role

kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:admin-user

Log in with a token

# Read the token directly from the service account's secret
[root@master1 ~]# kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"
# Output
eyJhbGciOiJSUzI1NiIsImtpZCI6IkhwcEI0czdnbm9rOG5SdmVfOHJDcFBXcGZ0WThoNE5VR3BqbVlaM2lWcmMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTVqNHRiIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiMTllYTE0Zi1hMWViLTRkNDgtOTU1YS00MDIwMjdkNDg5OWMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.TwmQr4BzT25mDu0tRGVcWVtEDrLrWs3-Isy9Cdv7h66rU_EuSxOIroB6v5fuQAynS8VyyAzg2ygX5TICJeEqdtCsxhvCZgX7Zny5jefrRtDEgNnV7wh5-7eShmICD0cF-pVUFeAqA-Ei-trEIaTPSkI7PaDSSIDVBlUfGFGFFR_Fg5oPErBfn9SqXvVly-2lAa4jQFfoMUsPjNk7PLaNGwnQj4yP-u_jY7GLy8a1Uv4DyqN2j_kyP5SjLjNOgnLrd2Hv51BEihVNbegTSJfGrkAfnjs3Tb_4JzjcO0ir1qKdm6KXRYuoaPt6SvoK8v_WGZMTZnbruGhlbaAUw4rlZw

Use the retrieved token to log in on the page.

Log in with a kubeconfig
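The token printed above is a legacy secret-backed service-account token: it carries no expiry and belongs to a ServiceAccount bound to cluster-admin, so a copy left in a shell history, a pasted chat message or a kubeconfig grants full cluster control until the secret itself is deleted. Since Kubernetes 1.24 ServiceAccounts no longer get such secrets created automatically; `kubectl create token admin-user -n kubernetes-dashboard` (with an optional `--duration`) issues a time-bounded token instead. The following added example, not from the article, decodes a token's payload to show who it identifies and whether it has an exp claim, which is the check worth making before handing any token to a browser. The sample token, its claims and the function names (b64url_decode, jwt_payload, jwt_claim, jwt_has_exp, token_summary) are constructed for this example, and the signature is deliberately not verified: the aim is to read the claims, not to validate the token.

```shell
#!/bin/sh
# Inspect a service-account bearer token before using it (added example, not from the
# article). Uses only sh, base64, cut, sed and grep. The signature is not checked here.

# Decode a base64url string (JWT segments drop the '=' padding and use '-' and '_').
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  pad=$(( (4 - ${#s} % 4) % 4 ))
  i=0
  while [ "$i" -lt "$pad" ]; do s="$s="; i=$((i + 1)); done
  printf '%s' "$s" | base64 -d
}

# Print the decoded JSON payload (second dot-separated segment) of JWT $1.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Print the string value of claim $2 in JWT $1, or nothing if it is absent.
# '|' is used as the sed delimiter because Kubernetes claim names contain '/'.
jwt_claim() {
  jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Succeed if the token has an exp claim. Legacy secret-based tokens like the one the
# article prints have none and stay valid until their secret is deleted.
jwt_has_exp() {
  jwt_payload "$1" | grep -q '"exp":'
}

# One line for a pre-login check: who the token is and whether its lifetime is bounded.
token_summary() {
  if jwt_has_exp "$1"; then life=bounded; else life=unbounded; fi
  printf '%s lifetime=%s\n' "$(jwt_claim "$1" sub)" "$life"
}

# Constructed sample: the claim layout of a legacy admin-user token with a dummy header
# and a fake signature. Not a real token.
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'; }
SAMPLE_HEADER='{"alg":"RS256","kid":"constructed"}'
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kubernetes-dashboard","kubernetes.io/serviceaccount/service-account.name":"admin-user","sub":"system:serviceaccount:kubernetes-dashboard:admin-user"}'
SAMPLE_TOKEN="$(b64url "$SAMPLE_HEADER").$(b64url "$SAMPLE_PAYLOAD").fakesignature"

# Usage: sh inspect_token.sh "$DASHBOARD_LOGIN_TOKEN"   (defaults to the constructed sample)
token_summary "${1:-$SAMPLE_TOKEN}"
```

A summary ending in `lifetime=unbounded` for a cluster-admin subject is the signal to prefer a `kubectl create token` token with a short `--duration` for day-to-day dashboard use, and to delete the static secret once nothing depends on it.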

# The token produced in the previous step can be captured with the following commands
DASHBOARD_LOGIN_TOKEN=$(kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}")
echo ${DASHBOARD_LOGIN_TOKEN}
eyJhbGciOiJSUzI1NiIsImtpZCI6IkhwcEI0czdnbm9rOG5SdmVfOHJDcFBXcGZ0WThoNE5VR3BqbVlaM2lWcmMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTVqNHRiIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiMTllYTE0Zi1hMWViLTRkNDgtOTU1YS00MDIwMjdkNDg5OWMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.TwmQr4BzT25mDu0tRGVcWVtEDrLrWs3-Isy9Cdv7h66rU_EuSxOIroB6v5fuQAynS8VyyAzg2ygX5TICJeEqdtCsxhvCZgX7Zny5jefrRtDEgNnV7wh5-7eShmICD0cF-pVUFeAqA-Ei-trEIaTPSkI7PaDSSIDVBlUfGFGFFR_Fg5oPErBfn9SqXvVly-2lAa4jQFfoMUsPjNk7PLaNGwnQj4yP-u_jY7GLy8a1Uv4DyqN2j_kyP5SjLjNOgnLrd2Hv51BEihVNbegTSJfGrkAfnjs3Tb_4JzjcO0ir1qKdm6KXRYuoaPt6SvoK8v_WGZMTZnbruGhlbaAUw4rlZw
# Create a KubeConfig file that uses the token
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server= \
  --kubeconfig=dashboard-admin.kubeconfig
# Set the client credentials using the token captured above
kubectl config set-credentials admin-user \
  --token=${DASHBOARD_LOGIN_TOKEN} \
  --kubeconfig=dashboard-admin.kubeconfig
# Set the context parameters
kubectl config set-context default \
  --cluster=kubernetes \
  --user=admin-user \
  --kubeconfig=dashboard-admin.kubeconfig
# Make it the default context
kubectl config use-context default --kubeconfig=dashboard-admin.kubeconfig

The login page looks like this:
